Table of Contents
config.yaml StructureBackend Object)
ConfigPKI)ConfigSSHCertificateAuthority)BWLimit)WebSocketConfig)ECH Object)BackendECH Object)tlsclientflowchart LR
subgraph Incoming TLS Connections
h1("web.example.com")
h2("foo.example.com")
h3("bar.example.com")
h4(...)
end
prx(((TLSPROXY)))
subgraph Backend Services
be1(HTTP Server)
be2(HTTPS Server)
be3(IMAP, SMTP, SSH)
be4(Any TCP, TLS, or QUIC Server)
end
h1-->prx
h2-->prx
h3-->prx
h4-->prx
prx-->be1
prx-->be2
prx-->be3
prx-->be4
TLSPROXY is a versatile TLS termination proxy designed to secure various network services. It automatically handles TLS encryption using Let's Encrypt, allowing multiple services and server names to share the same port. Beyond TLS termination, TLSPROXY can function as a simple web server, a reverse proxy for HTTP(S) services, and offers robust user authentication and authorization features.
Key Features:
To install TLSPROXY from its source code, follow these steps:
git clone https://github.com/c2FmZQ/tlsproxy.git
cd tlsproxy
go generate ./...
go build -o tlsproxy
You can use the official Docker image from Docker Hub. Here's an example command:
docker run \
--name=tlsproxy \
--user=1000:1000 \
--restart=always \
--volume=${CONFIGDIR}:/config \
--volume=${CACHEDIR}:/.cache \
--publish=80:10080 \
--publish=443:10443 \
--env=TLSPROXY_PASSPHRASE="<passphrase>" \
c2fmzq/tlsproxy:latest
The proxy reads the configuration from ${CONFIGDIR}/config.yaml.
:warning: The ${TLSPROXY_PASSPHRASE} environment variable is crucial as it's used to encrypt the TLS secrets.
Precompiled binaries for various platforms are available on the release page.
It is highly recommended to verify the authenticity of downloaded binaries and container images.
Container Image:
To verify the authenticity of a container image, use cosign:
cosign verify \
--certificate-identity-regexp='^https://github[.]com/c2FmZQ/tlsproxy/[.]github/workflows/release[.]yml' \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
c2fmzq/tlsproxy:latest
Alternatively, if you have the public key:
cosign verify --key keys/cosign.pub c2fmzq/tlsproxy:latest
Release Binary:
To verify the authenticity of a release binary, first import the c2FmZQ-bot.pub key:
curl https://raw.githubusercontent.com/c2FmZQ/tlsproxy/main/keys/c2FmZQ-bot.pub | gpg --import
Then, verify the signature (e.g., for tlsproxy-linux-amd64):
gpg --verify tlsproxy-linux-amd64.sig tlsproxy-linux-amd64
TLSPROXY is configured using a YAML file, typically named config.yaml. This file defines how the proxy behaves, including backend services, authentication methods, and security settings.
The examples directory contains full configuration files for various use cases.
config.yaml StructureThe main configuration options are:
acceptTOS: (Required) Boolean. Indicates acceptance of the Let's Encrypt Terms of Service. Must be true for Let's Encrypt to function.email: (Optional) String. Your email address, used by Let's Encrypt for important notifications.httpAddr: (Optional) String. The address where the proxy listens for HTTP connections (e.g., ":80" or ":10080"). Essential for Let's Encrypt's http-01 challenge.tlsAddr: (Required) String. The address where the proxy listens for TLS connections (e.g., ":443" or ":10443").enableQUIC: (Optional) Boolean. Enables QUIC protocol support. Defaults to true if compiled with QUIC support.ech: (Optional) Object. Configures Encrypted Client Hello (ECH).acceptProxyHeaderFrom: (Optional) List of CIDRs. Enables PROXY protocol for connections from specified IP ranges.hwBacked: (Optional) Boolean. Enables hardware-backed cryptographic keys (e.g., with a TPM).cacheDir: (Optional) String. Directory for storing TLS certificates, OCSP responses, etc. Defaults to a system cache directory.defaultServerName: (Optional) String. Server name to use when SNI is not provided by the client.logFilter: (Optional) Object. Controls what gets logged (connections, requests, errors).groups: (Optional) List of Group objects. Defines user groups for access control.backends: (Required) List of Backend objects. Defines the services TLSPROXY will forward traffic to.oidc: (Optional) List of ConfigOIDC objects. Defines OpenID Connect identity providers.saml: (Optional) List of ConfigSAML objects. Defines SAML identity providers.passkey: (Optional) List of ConfigPasskey objects. Defines Passkey managers.pki: (Optional) List of ConfigPKI objects. Defines local Certificate Authorities.sshCertificateAuthorities: (Optional) List of ConfigSSHCertificateAuthority objects. Defines local SSH Certificate Authorities.tlsCertificates: (Optional) List of TLSCertificate objects. Specifies pre-existing TLS certificates to use.bwLimits: (Optional) List of BWLimit objects. Defines named bandwidth limit groups.webSockets: (Optional) List of WebSocketConfig objects. Defines WebSocket endpoints.See the GoDoc for complete and up-to-date documentation.
Backend Object)Each Backend object defines a service and its behavior:
serverNames: (Required) List of strings. DNS names for this service.mode: (Required) String. Controls how the proxy communicates with the backend. Valid values include TCP, TLS, TLSPASSTHROUGH, QUIC, HTTP, HTTPS, LOCAL, CONSOLE.addresses: (Optional) List of strings. Backend server addresses (e.g., 192.168.1.10:80).documentRoot: (Optional) String. Directory for serving static files (only if addresses is empty).clientAuth: (Optional) Object. Configures TLS client authentication.acl: (Optional) List of strings. Restricts client identities (email, subject, DNS, URI).rootCAs: (Optional) List of strings. CA names or PEM-encoded certificates for client verification.addClientCertHeader: (Optional) List of strings. Specifies which client certificate fields to add to X-Forwarded-Client-Cert header.sso: (Optional) Object. Configures Single Sign-On for the backend.provider: String. Name of an OIDC or SAML provider.rules: List of SSORule objects. Defines path-matching rules for SSO enforcement.htmlMessage: String. HTML message displayed on permission denied screen (not escaped).setUserIdHeader: Boolean. Sets x-tlsproxy-user-id header with user's email.generateIdTokens: Boolean. Generates ID tokens for authenticated users.localOIDCServer: Object. Configures a local OpenID Provider.exportJwks: (Optional) String. Path to export the proxy's JSON Web Key Set.alpnProtos: (Optional) List of strings. ALPN protocols supported by this backend.backendProto: (Optional) String. Protocol for forwarding HTTPS requests to the backend (e.g., http/1.1, h2, h3).insecureSkipVerify: (Optional) Boolean. Disables backend server TLS certificate verification (use with caution).forwardServerName: (Optional) String. ServerName to send in TLS handshake with backend.forwardRootCAs: (Optional) List of strings. CA names or PEM-encoded certificates for backend verification.forwardTimeout: (Optional) Duration. Connection timeout to backend servers.forwardHttpHeaders: (Optional) Map of strings. HTTP headers to add to forwarded requests.forwardECH: (Optional) Object. ECH parameters for connecting to the backend.pathOverrides: (Optional) List of PathOverride objects. Defines different backend parameters for specific path prefixes.proxyProtocolVersion: (Optional) String. Enables PROXY protocol on this backend (v1 or v2).sanitizePath: (Optional) Boolean. Sanitizes request path before forwarding (defaults to true).serverCloseEndsConnection: (Optional) Boolean. Closes TCP connection when server closes its end.clientCloseEndsConnection: (Optional) Boolean. Closes TCP connection when client closes its end.halfCloseTimeout: (Optional) Duration. Timeout for half-closed TCP connections.The SSORule
$ claude mcp add tlsproxy \
-- python -m otcore.mcp_server <graph>